NSA coughs to 1000s of unlawful acts of snooping on US soil since 2008

Oversight judge admits: 'I've no idea what the true figure is'

The NSA violated privacy laws thousands of times in the last five years by spying on US citizens, an internal audit by the super-snoopers has disclosed.

The Washington Post reports that the intelligence agency has also overstepped its legal remit since Congress gave it broad powers in 2008.

Most of the violations involved unauthorised surveillance of Americans and foreigners in the US. Problems arose thanks to clumsy operator mistakes, insufficient or inaccurate research, failures to follow the correct procedures and even typos.

Meanwhile, system errors led to further problems, such as failures to recognise foreign phone users who roamed onto US soil but whose data was hoovered up anyway.

An NSA internal audit, leaked to the Washington Post by former NSA contractor turned whistleblower Edward Snowden, logs 2,776 incidents of "unauthorized collection, storage, access to or distribution of legally protected communications" in the year to May 2012.

Most were accidental mishaps where procedures were not followed correctly, but some involved violations of a court order - such as a February 2012 incident involving the unauthorised retention of 3,000 files that a surveillance court had ordered the NSA to destroy.

Violations include unauthorised access to intercepted communications and the use of automated systems without built-in safeguards to prevent unlawful surveillance.

NSA 'marking its own homework'

The audit only covers figures from the NSA's Maryland headquarters and Washington DC offices and not those from its regional collection centres.

In some cases, the NSA decided that it didn't need to report the unintended surveillance of US residents and citizens. One glaring example of unreported dragnet overreach occurred in 2008 when a programming error resulted in the interception of a large number of calls made in the Washington DC area: buggy software confused the US telephone area code 202 with intentional calls made to Egypt (country code +20).

In another case, the Foreign Intelligence Surveillance Court was not told about a data collection programme run by the NSA until months after it was up and running. The court eventually ruled in October 2011 that hoovering up international communications passing through fibre-optic cables in the United States was unconstitutional because Americans' emails and other net traffic were collected. The agency was ordered to drop the collection programme within 30 days unless it figured out a way to filter out US citizens' traffic.

Evading official scrutiny

Another leaked document instructs NSA analysts about how to explain their targeting decisions without giving "extraneous information" to overseers in the Department of Justice, Congress or the special court that scrutinises surveillance. NSA personnel are "instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence", the Post reports.

This relates to an internal NSA document [PDF] that offers rationales for targeting and provides examples of the kinds of people the NSA may spy on - and that's besides amassing 1.6 per cent of the world's net communications. The document makes for an interesting read.

Other training files explain that analysts do not need to report "incidental" collection of data from US citizens, green-card holders or companies to the NSA Inspector General because (in the opinion of the NSA) it is not deemed a violation of the rules.

Signals intelligence spooks are allowed to use anonymised sets of data routinely, and with supervisory permission they may unmask the identities of US persons in reports to the agency's clients, such as the CIA and US military, among others.

FISA judge: We can't investigate non-compliance

In response to the Post's revelations about its violation of privacy rules, the NSA said it attempts to identify problems "at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down".

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post in an interview.

The chief judge of the secret court tasked with overseeing the NSA's dragnet surveillance said his court's powers of scrutiny are limited because it is reliant on government reports of improper spying. There is no independent verification, the Post reports.

"The FISC is forced to rely upon the accuracy of the information that is provided to the Court," its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. "The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders."

The judge's frank admission pulls the rug out from under repeated assurances from President Obama and his officials that the secret intelligence court provides robust oversight of government surveillance. ®
